================================================================================
Fixes in Sterling Secure Proxy (SSP) 3.4.3.0 iFix 03 - January 2017
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine 3.4.3.0
and SSP Configuration Manager 3.4.3.0 plus the fixes for the issues mentioned
below. The install images for the SSP Engine, CM and PS may be used to install
a new image or upgrade an existing image in place.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
  III. Detailed Description of Fixes

================================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
================================================================================

Action - IMPORTANT upgrade steps from SSP341x - see "SSP3418 Upgrade" for
         details
Action - JRE upgrade turns off SSLv3 support by default - see IT07375

In iFix 3 (January 2017):
HIPER  - Deadlock/hang in failover code - see RTC516359 for details
HIPER  - CD failures after upgrade from SSP3418 to SSP3430 iFix 2 - see
         RTC524219 for details and workaround
HIPER  - 100% CPU in Maverick toolkit after a few days - see RTC524897

In iFix 2 (December 2016):
HIPER  - See IT17228 for information on the upgrade to IBM JRE 1.7 SR9FP50 for
         the latest Java security patches in the CM, Engine and PS.
HIPER  - See "PSIRT 5869" for the security patch related to
         commons-fileupload-1.3.2.jar
HIPER  - Thousands of sockets in TIME_WAIT when JMS listener down - see
         RTC522699
HIPER  - System outage with too many open file handles - see RTC517621
Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and
         hmac-sha2-512, respectively. See RTC492052 for details
Action - Allow server only certificates for CD client authentication. See
         IT18066 if you need to configure this differently.
Action - Ability to externalize delay for CD HttpPingResponse. See IT18178 for
         details.
Action - See IT15063 for information on configuring the SFTP rekey counts

In iFix 1 (July 2016):
HIPER  - CD Adapter failures causing high CPU - see RTC496962
Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and
         hmac-sha2-512, respectively. See RTC492052 for details

================================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
    Fixes are marked as Engine and CM (Configuration Manager)
================================================================================

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Build 99 (January 2017)

RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 94 (January 2017)

RTC517058/IT17567 (Engine) - FTPS data connection timeouts after upgrade to
    SSP 3.4.2 or 3.4.3.
RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in
    systemout.log after SSP3420 iFix 9
RTC525909/ (Engine) - Error messages "peer not authenticated" in load test
    logs for C:D sessions
RTC525956/ (Engine) - SFTP concurrency test produces a number of NPEs

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 87 (December 2016)

RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP
    Adapters including ones not dependent on SEAS
RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430
    iFix 2

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Build 83 (December 2016)

RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the
    sftp_rekeycount limit in the adapter.
RTC523578/ (Engine) - CD Protocol unable to use keycert in HSM

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 81 (December 2016)

RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure
    connection failures after upgrade to SSP 3.4.2
RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap
    setting fails in some circumstances
RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client
    authentication
RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD
    client authentication not turned on
RTC520046/IT17985 (CM) - Unable to use a custom channel name in the JMS
    configuration
RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse.
RTC521075/IT18187 (CM) - 2 special characters in CM password when special
    characters required
RTC521835/IT18266 (Engine) - Do not seed SecureRandom when using HSM with CD
RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener
    down

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 75 (November 2016)

RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics.
RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27,
    j2ssh 1.6.23
RTC514315/IT17373 (CM) - Import of CA trusted file with multiple CA Certs gets
    corrupted
RTC517621/IT17983 (Engine,PS) - Too many open file handles; lsof output shows
    “can't identify protocol” entries
RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list
RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 69 (October 2016)

No Defect/IT17228 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM
    JRE 1.7 SR9FP50 for latest security patches
PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar
RTC496054/ (CM) - Error messages found in installation and CMS logs for both
    Engine and CM.
RTC493866/ (Engine,PS) - Too many open file handles
RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session
RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end
    session gracefully
RTC510635/IT16815 (Engine) - HSM certificates causing SSP0229E Exception
    Securing connection or Sending data, java.lang.NoClassDefFoundError -
    com.sterlingcommerce.security.util.SCIHSMManager
RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping
    Response" string consistently
RTC511666/IT17151 (CM) - Unable to invoke iKeyman bundled with SSP on Solaris
    10 with error: "Could not find or load main class
    com.ibm.gsk.ikeyman.Ikeyman"
RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris
RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM
    Keys list after upgrade
RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed
RTC513984/ (Engine,CM,PS) - Enhancement to allow silent installs for SSP,
    SSPCM, PS and SEAS
RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException
    when attempting to create a CSR

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 47 (August 2016)

RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com
RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests
RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail
RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs
RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names
RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET
RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 34 (August 2016)

RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown
    with C:D wildcard copies.
RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked
    accounts sooner in SSP3430.
RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound
    unencrypted, outbound secure.

================================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Build 29 (July 2016)

SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to
    SSP3420/SSP3430 format before upgrade
RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched
    MAC names
RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error
    message from SSO login failure
RTC495433/IT14514 (CM) - manageKeyCerts import fails with
    java.lang.NullPointerException
RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many
    open files", or "max concurrent circuits reached"
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when
    mapped password not present
RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine,
    Max concurrent circuits reached:4096 on PS
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after
    upgrading to SI 5.2.6.1.
RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for
    PerimeterServerConfig
RTC497092/IT14615 (Engine) - Engine Shutdown issue
RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL
    handshakes
RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to
    fail
RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers
RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when
    FIPS enabled
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using
    configureCmSsl utility
Logging Improvement (Engine) - C:D certificate failure logging improvements
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External
    Authentication
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns
    success but the node still exists
RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates
    a single Windows Service and starting/shutting down the PS service
    starts/stops all of them
RTC505169/IT15947 (CM) - HTTP Security headers were missing.
RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root
RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id
RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST
RTC505702/IT16080 (CM) - Enhancements to password policy rules

================================================================================
III. Detailed Description of Fixes (in Defect ascending order)
     Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
================================================================================

SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to
    SSP3420/SSP3430 format before upgrade

Some Customers who upgraded to SSP3420/SSP3430 had SHA256 keycerts in PKCS#8
PEM format in their keystore, which is the way they were stored in the
pre-SSP3420 CM.
After upgrading, these keys could not be read by the new IBM toolkit, due to a
couple of OID fields.

Resolution: A new SspCMCertConvertUtil is now supplied with the SSP3418 CM
which can be run just before upgrading to SSP3430 to convert the keystore(s)
in place to PKCS#12 format, which is the format that SSP3430 uses. Once the
conversion is done, the SSP3418 CM image must be upgraded immediately to the
SSP3430 CM.

Here are the steps for using the new script.

1) Obtain the latest 3418 maintenance (iFix 8 or higher) and the latest 3430
   maintenance (iFix 1 or higher) on Fix Central:
   http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.1.8&platform=All&function=all
2) Shut down and back up your existing 341x Engine, CM and PS instances.
3) Upgrade the 341x CM to the latest 3418 SSP CM patch.
4) Run bin/SspCMCertConvertUtil.sh (or .bat).
5) Select Yes to convert existing 3418 SSP CM keycerts, or select No to exit
   the script.
6) If Yes is selected, this script will first back up the entire current SSP
   CM conf instance.
7) The script will then convert all SSP CM keycerts that are in 341x format
   into SSP3420/SSP3430 CM keycert format.
8) Once the script runs to completion, upgrade the SSP CM, Engine, and PS
   instances to SSP3430.
9) Note: Once the script is run, the SSP3418 conf directory may no longer be
   used for SSP3418. Either convert to SSP3430 or restore the backed up copy.

Note: If there is a need to go back to 341x, restore the backed up copies.

The alternative is to upgrade directly to SSP3430, import the PKCS12 versions
of your SHA256 keycerts into your system key store and point your netmaps to
the new versions.

No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM
    JRE 1.7 SR8 for latest security patches, which turn off SSLv3 support by
    default

This JRE was included with SSP3430 GA. SSP only allows TLS sessions by default
and will reject SSLv3 sessions.

If the SSLv3 protocol is required until trading partners can switch to TLS,
then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to
the Java startup line(s) in the bin/startEngine.sh script. For Windows, add
the property to the "lax.nl.java.option.additional=" line in the
bin\SSPengine$.lax file.

In addition, edit the /jre/lib/security/java.security file to change the
following line from

  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

to

  jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768

See http://www.ibm.com/support/docview.wss?uid=swg21695265 for more
information.

No Defect/IT17228 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM
    JRE 1.7 SR9FP50 for latest security patches

This JRE includes the quarterly Java security patches through July 2016. See
http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar

Resolution: Upgraded to use commons-fileupload-1.3.2.jar to resolve a possible
security vulnerability. For more information, see
http://www.ibm.com/support/docview.wss?uid=swg21995611.

RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched
    MAC names

Customer was attempting to configure their SFTP to use HMACs of 256 or higher.
SFTP handshakes were getting a mismatch of the hmac algorithm names. SSP was
presenting "hmac-sha256" and "hmac-sha512", but should have been using
"hmac-sha2-256" and "hmac-sha2-512".

Resolution: Now properly present the "hmac-sha2-256" and "hmac-sha2-512" hmac
names.

Action: If you have previously selected the "hmac-sha256" or "hmac-sha512"
HMACs in the adapter Security tab or the netmap node Security tab, they will
be de-selected during this upgrade, and you must reselect the "hmac-sha2-256"
and/or "hmac-sha2-512" HMACs.
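The IT07375 entry above describes re-enabling SSLv3 by removing it from the jdk.tls.disabledAlgorithms line. The following Python is an added audit helper, not IBM code or part of this fix list: it parses the java.security properties format (comment lines, key=value, backslash line continuations) and reports whether SSLv3 is still on the disabled list, so the setting can be re-checked after an upgrade or once a trading-partner exception has lapsed. The two file excerpts are constructed from the lines quoted in the entry; only the "=" key/value form that java.security uses is handled.

```python
"""Audit whether a java.security file still disables SSLv3 (added example)."""

KEY = "jdk.tls.disabledAlgorithms"

def parse_java_security(text):
    """Parse java.security-style properties into {key: value}.

    Lines starting with '#' or '!' are comments; a trailing backslash joins the
    next line onto the current one, as java.util.Properties does.  Only the
    'key=value' form is handled (the form java.security uses).
    """
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        entry, pending = "".join(pending), []
        key, sep, value = entry.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def disabled_algorithms(text):
    """Entries of jdk.tls.disabledAlgorithms in file order (empty if unset)."""
    value = parse_java_security(text).get(KEY, "")
    return [item.strip() for item in value.split(",") if item.strip()]

def sslv3_disabled(text):
    """True when SSLv3 is on the disabled list, i.e. the JRE's default state."""
    return any(item.upper() == "SSLV3" for item in disabled_algorithms(text))

# Constructed excerpt: the default line, written with a line continuation.
DEFAULT_JAVA_SECURITY = """\
# constructed excerpt of java.security, not the real file
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""

# Constructed excerpt: the same file after the edit the entry describes.
EDITED_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # audit a real file: python audit.py /path/to/java.security
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:                            # no path given: run against the constructed default
        text = DEFAULT_JAVA_SECURITY
    print("disabled:", disabled_algorithms(text))
    print("SSLv3 disabled:", sslv3_disabled(text))
```

Run it against the JRE's java.security after each maintenance upgrade; a result of "SSLv3 disabled: False" means the temporary edit above is still in place.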
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range

Customer running with a newer OpenSSH command line client getting DH_GEX group
out of range during session initialization.

Resolution: Updated the SFTP Maverick toolkits to SSHD 1.6.17 (front end
server side) and J2SSH 1.6.15 (back end client side) for more advanced
Diffie-Hellman key negotiation.

RTC493866/ (Engine,PS) - Too many open file handles

Customers getting "Too many open file handles" and, when they run the lsof
command to list the open files/sockets, many of the lines contain “can't
identify protocol”. This can lead to an outage of SSP where no new connections
can be accepted.

Workarounds:
1) Stop and restart the HTTP adapters to release the hung sockets.
2) Increase the OS ulimit for max open files.

Resolution: Updated the local and remote Perimeter Server jar files to correct
problems where the file handles are not closed properly.

RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error
    message from SSO login failure

HTTP client logging onto the SSO portal and then onto Sterling File Gateway is
getting a blank screen instead of a 500 error message when the login fails.

Resolution: Added the text "Internal Server Error" to the message body for the
500 error response and pass it back to the user on login failure.

RTC495433/IT14514 (CM) - manageKeyCerts import fails with
    java.lang.NullPointerException

The manageKeyCerts.sh utility fails with "Unexpected exception:
java.lang.NullPointerException" when attempting to import a PKCS12 keycert
into HSM.

Resolution: Changed manageKeyTool to persist imported keys by saving off the
private key.

RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server

When the SFTP proxy adapter times out on the client, the socket connection
stays in FIN_WAIT2 state.

Resolution: Modified code related to close functionality.

RTC496054/ (CM) - Error messages found in installation and CMS logs for both
    Engine and CM.

Numerous error messages seen in the log during installation or configuration
update: "ERROR SspEngineBuilder - routing type STD". They were introduced by
Build 54.

Resolution: Removed the superfluous message.

RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many
    open files", or "max concurrent circuits reached"

After several hours or days of running, the Perimeter Server can get the
message "Too many open files" or "Max concurrent circuits reached: size
is:4096", and all incoming connections are rejected. The C:D adapter was not
closing the connections from the load balancer heartbeat pings correctly,
causing an accumulation of circuits in the PS and leftover file descriptors
showing up in an lsof command. Customers with a ulimit of 1024 for max open
files per user will get the former message, while others will get the latter.

Resolution: Updated the C:D adapter code to better handle a load balancer ping
operation which does not do a clean close of the socket after connecting.
These connections should get cleaned up by the Java garbage collector over
time. The Customer should also set the kernel ulimit max open files value to
4096 or higher to allow time for the normal recycling of the load balancer
ping sockets.

RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when
    mapped password not present

If an SFTP policy is configured to use a mapped routing key name from SEAS to
connect to the backend server, a Null Pointer Exception can occur if the user
does not have a mapped password defined. When attempting to connect to the SSP
SFTP adapter, the user will not be able to login, and the following exception
will occur in the adapter log:

  java.lang.NullPointerException
    at java.lang.String.
    at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.registerBackend
    at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUserHelper
    at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUser
    at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.verifyPassword
    at com.sterlingcommerce.cspssh.daemon.SftpAccessInstance.verifyPassword

Resolution: Now correctly handle the situation where SEAS returns a mapped
routing key name, but not a mapped password.

RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine,
    Max concurrent circuits reached:4096 on PS

When the C:D adapter recovers from a connection failure to the More Secure
Perimeter Server, it restarts its listener on the inbound PS but no longer
services connections coming in. As the load balancer continues to hit the CD
port, it can lead to a "Max concurrent circuits reached: 4096" error on the PS
and all inbound traffic turned away.

Resolution: Corrected the recovery logic in the CD adapter to ensure that the
inbound listener is brought up and the adapter continues to service
connections.

RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after
    upgrading to SI 5.2.6.1.

SI/B2Bi 5.2.6.1 uses the fix provided in the IBM JRE (JSSE) to break up
packets when using CBC cipher suites and TLS 1.0. The short packet during the
initial FMH 68/72 exchange was causing SSP to issue message "CSP900E Logged
Exception : Invalid Connect:Direct FMH".

Resolution: Now handle SSL fragmentation caused by remediation for the CBC
BEAST TLS 1.0 PSIRT advisory.

Workaround: There are 2 known workarounds to this problem:
1) Switch to using TLS 1.2 between SSP and SI, as the BEAST "fix" only gets
   used with TLS 1.0.
2) Update the SI 5.2.6.1 startup script(s) to add
   "-Djsse.enableCBCProtection=false" in the Java startup line(s).

RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for
    PerimeterServerConfig

During a configuration push from the CM to the engine, getting multiple
"java.lang.RuntimeException: Problem with reflection based marshalling".
Invalid data was being passed to the SSP Engine Converter method.

Resolution: Added logic to detect when invalid data is passed into the
converter method and handle it properly.

RTC497092/IT14615 (Engine) - Engine Shutdown issue

Customer could not shut down the SSP engine from the command line using either
"stopEngine.sh mode=auto" or the regular ./stopEngine.sh.

Resolution: Added logic to the SSP code base so that the TLS protocol is no
longer hard-coded for the SSP engine shutdown module.

RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL
    handshakes

Customers experiencing intermittent failures during SSL handshaking in CD,
FTP, or HTTP sessions. A PEMHelper utility class which feeds certificates to
the SSL/TLS handshake process had objects defined in such a way that they were
not thread-safe, causing unpredictable outcomes when multiple sessions were
attempting to do simultaneous handshakes.

Resolution: Corrected the objects in the PEMHelper class to be thread-safe.

RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the
    sftp_rekeycount limit in the adapter.

Under certain circumstances, the rekey limit is causing SFTP transfers to
stall. The sftp_rekeycount property defaults to 20000, which allows 20k
packets to flow before requesting a new key exchange. However, the SSP FTP
daemon and the SSH Maverick toolkit are both keeping track of the packet
count, which can cause a hang when both request a rekey at the same time.

Resolution: Turned off requesting rekey operations on the back end session to
SI within the SFTP adapter. Added a new property, sftp_backend_rekeycount,
with a default of zero, to specify the number of packets between rekeys on
the backend session to SI, in case a Customer needs to turn it back on. Also
updated the Maverick toolkit to get the latest versions with any impact on
re-key issues.

RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to
    fail

There was an internal error during startup of the CM and the internal
ManagedAccepterService never came up, which caused logins to fail.

Resolution: Added the ManagedAccepterService to the list of global services so
it would start sooner in the process.

RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers

The SSP CM is missing the following HTTP security headers:

  Cache-Control: no-cache,no-store
  Pragma: no-cache
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1

Resolution: Added the missing HTTP security headers to the SSP CM.

RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using
    configureCmSsl utility

CmSslConfigTool was unable to successfully import pkcs12 certificates.

Resolution: Added logic that allows for the public certificate to be extracted
from pkcs12 into the SSP CM truststore.

Logging Improvement (Engine) - C:D certificate failure logging improvements

Trusted certificates that contain comments or too many characters on a line
may not be able to be parsed by SSP 3.4.2, even though they worked in SSP
3.4.1.

Resolution: Added code so that if SSP fails to parse a trusted certificate,
the name of the offending certificate is logged.

RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External
    Authentication

When using the SSP REST API to create a new CM user that uses external
authentication, an error will occur if a password is not specified. Since
authentication is done externally, a password should not be required in SSP.

Resolution: The SSP REST API code has been changed so that passwords are not
required for new CM users that use external authentication.
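A way to verify that a CM response actually carries the headers listed under RTC501513 (plus the Strict-Transport-Security header that RTC505169, further down this list, adds), as an added Python check that is not SSP code: it parses a raw HTTP response head and reports each required header that is missing or lacks the expected directives. Both response heads below are constructed for the demonstration, not captured from a CM; the HSTS max-age value is a placeholder.

```python
"""Report missing or weakened CM security headers (added example, not SSP code)."""
import re

# header name (lower-case) -> directives that must be present, or None when
# presence alone is required (the HSTS max-age directive is checked separately).
REQUIRED = {
    "cache-control": {"no-cache", "no-store"},
    "pragma": {"no-cache"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1"},
    "strict-transport-security": None,
}

def parse_headers(raw):
    """Return {lower-case name: value} from a response head.

    The status line is skipped, the first blank line ends the block, and a
    repeated header is joined with commas as RFC 7230 section 3.2.2 permits.
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field line
        key, value = name.strip().lower(), value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers

def directives(value):
    """Lower-cased directives of a header value, split on ',' or ';'."""
    return {d.strip().lower() for d in re.split(r"[,;]", value) if d.strip()}

def check_security_headers(raw):
    """Return a sorted list of findings; an empty list means every required
    header is present with the expected directives."""
    headers = parse_headers(raw)
    findings = []
    for name, wanted in REQUIRED.items():
        if name not in headers:
            findings.append("missing " + name)
        elif wanted is not None and not wanted <= directives(headers[name]):
            findings.append("%s: expected %s, got %r"
                            % (name, sorted(wanted), headers[name]))
    hsts = headers.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts.lower():
        findings.append("strict-transport-security: no max-age directive")
    return sorted(findings)

# Constructed response head resembling the CM before the headers were added.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed response head carrying every header the two entries list.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache,no-store\r\n"
    "Pragma: no-cache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"   # placeholder max-age
    "\r\n"
)

if __name__ == "__main__":
    for label, head in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label + ":", check_security_headers(head) or "all required headers present")
```

Feed it the response head of the CM login page (for example the output of an HTTPS HEAD request saved to a file) after applying the iFix; any finding in the result is a header that is still missing or has lost a directive.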
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns
    success but the node still exists

When using the SSP REST API to delete a C:D netmap node, and the node being
deleted is referenced by another node's ACL, the REST API will return a
successful response, but the node will not be deleted.

Resolution: The SSP REST API code has been updated to return a meaningful
error message if a node cannot be deleted because it is referenced by another
node's ACL.

RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates
    a single Windows Service and starting/shutting down the PS service
    starts/stops all of them

After installing a more secure perimeter server, it is possible that the
Windows service used to start and stop the perimeter server will be named
using the wrong port number. If this new Windows service name overwrites an
existing service, the perimeter server corresponding to the old Windows
service cannot be started.

Resolution: The code has been changed so that the name of the perimeter server
always contains the port number that the SSP Engine will listen on. This
guarantees that the Windows Service name corresponds to the correct server.

RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when
    FIPS enabled

With FIPS mode enabled in SSP, a null pointer exception can occur if the
group-exchange-sha256 key exchange algorithm is enabled in the outbound netmap
node.

Resolution: Code has been added so that SSP can use the group-exchange-sha256
key exchange algorithm, in FIPS mode, for connections to the backend server.

RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com

Previously, SSP did not support the following HMAC algorithms for SFTP
adapters and outbound nodes: hmac-sha256 and hmac-sha256@ssh.com.

Resolution: Added support for hmac-sha256 and hmac-sha256@ssh.com.
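Both RTC492052 (above) and RTC502863 come down to how SSH picks a MAC: RFC 4253 section 7.1 requires an exact string match, choosing the first name in the client's list that the server also lists, so "hmac-sha256" and "hmac-sha2-256" never match each other even though both mean HMAC-SHA-256. The Python below is an added illustration of that negotiation rule, not IBM or Maverick code; the name-lists are constructed for the demonstration and are not SSP's actual configuration.

```python
"""SSH algorithm negotiation as RFC 4253 section 7.1 specifies it (added example)."""

# Constructed lists, not SSP's actual configuration.  Before RTC492052 the
# proxy offered the non-IANA spellings; after the fix it offers the registered
# names, and RTC502863 adds "hmac-sha256" and "hmac-sha256@ssh.com" as well.
SSP_MACS_BEFORE_FIX = ["hmac-sha256", "hmac-sha512", "hmac-sha1"]
SSP_MACS_AFTER_FIX = ["hmac-sha2-256", "hmac-sha2-512",
                      "hmac-sha256", "hmac-sha256@ssh.com", "hmac-sha1"]

# A constructed modern client that offers only the registered SHA-2 names.
CLIENT_MACS = ["hmac-sha2-256", "hmac-sha2-512"]

def parse_name_list(field):
    """Split an SSH name-list (RFC 4251 section 5): comma-separated, no spaces."""
    return [name for name in field.split(",") if name]

def negotiate(client_list, server_list):
    """Return the first client entry that is also in server_list, else None.

    Comparison is exact and case-sensitive, which is why a proxy presenting
    'hmac-sha256' cannot satisfy a peer asking for 'hmac-sha2-256'.
    """
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    return None

def negotiate_macs(client_c2s, client_s2c, server_c2s, server_s2c):
    """Negotiate both MAC directions; raise when either has no common name,
    the condition under which RFC 4253 says both sides must disconnect."""
    chosen = (negotiate(client_c2s, server_c2s), negotiate(client_s2c, server_s2c))
    if None in chosen:
        raise ValueError("no matching MAC found: client offers %s, server offers %s"
                         % (client_c2s, server_c2s))
    return chosen

def explain_mismatch(client_list, server_list):
    """Names each side offers that the other does not list: what to compare
    when a log reports mismatched MAC names."""
    client, server = set(client_list), set(server_list)
    return {"only_client": sorted(client - server),
            "only_server": sorted(server - client)}

if __name__ == "__main__":
    print("before fix:", negotiate(CLIENT_MACS, SSP_MACS_BEFORE_FIX),
          explain_mismatch(CLIENT_MACS, SSP_MACS_BEFORE_FIX))
    print("after fix: ", negotiate(CLIENT_MACS, SSP_MACS_AFTER_FIX))
```

The same rule explains the Action note under RTC492052: a netmap node or adapter left with the old spellings selected would keep offering names that a standards-conforming peer does not list, so the selections are cleared on upgrade and must be made again with the registered names.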
RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests Resolution: XSD files are now provided to allow XML validation. Sample programs were changed to show validation using the appropriate xsd file. Note: Because netmapDef was re-used for cd, ftp, http, pesit and sftp and ftpPolicyDef was reused for ftp and sftp, changes were required to allow for xsd validation of import/export XML files. These changes also required modifications in the SSP CM, so CM must be upgraded to this level in order to use the xsd's provided. RTC505169/IT15947 (CM) - HTTP Security headers were missing. Resolution: Added the following security headers 1) Cache-Control: no-cache,no-store and Pragma: no-cache 2) X-Content-Type-Options "nosniff" 3) X-XSS-Protection "1" 4)Strict-Transport-Security - Note: Chrome may require some tweaking when CM server certificate CN does not match host name see https://support.opendns.com/entries/66657664-Chrome-for-Windows-only- HSTS-Certificate-Exception-Instructions for mitigation for chrome See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root Under certain conditions, a browser user is able to traverse the SSP CM webapp root directory. Resolution: Added logic in SSP servlet filter to block directory traversal. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id The SSP CM Dashboard web session was not being reset during a logoff operation. Resolution: Added logic to always reset the SSP CM Dashboard web session during a logoff operation. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail When CCC (Clear Control Channel) is enabled on the inbound node for the connection from FTP Client to SSP FTP Proxy, the session fails after the CCC command is sent by the client to SSP. 
Resolution: SSP was updated to correctly interface with the newer PS. RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST User was able to send a method request other than GET and POST to the SSP CM server and get a response back. Resolution: Modified the SSP CM web.xml to only honor GET and POST methods. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505702/IT16080 (CM) - Enhancements to password policy rules Resolution: Now allow the SSP CM admin to specify the allowed special characters and also to specify the number of consecutive repeating characters within a new password string RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies. A C:D process with a large number of steps (e.g. a wildcard copy) continues to consume resources and processing slows down as more and more objects are added to SSP session document. Resolution: Refactored the way the SSP session document is manipulated to make it more efficient. RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics. C:D Windows stats shows XXDR012I RC 4 for processes between C:D Windows and C:D z/OS when going through SSP. Resolution: Now explicitly specify the ISO-8859-1 character set for "bytes to string" and "string to bytes". RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs After SSP3430 iFix 1, the CM user is notified when its account is locked Resolution: Added a check box in SSPCM System Setting's tab to allow the Admin to indicate whether a CM user should be notified of a locked condition. RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430. When the "Key or Password" authentication policy is used in SSP's SFTP adapter and a user's key is invalid, the account gets locked after one failed password attempt. 
The public key authentication failure is recorded twice, causing one subsequent failure of a password attempt to lock the account for SSP's lockout period. Resolution: Ensure the SSH User Key authentication failure is not counted twice. Workaround: Raise the "User Lockout Threshold" from the default of 3 in the Credentials -> User Stores section of the CM. (This value is used whether or not the user account is in the SSP user store). RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session Doing CDZ PNODE to CDU SNODE PULL with a checkpoint interval (100K) and FASP=SSP. Suspend from CDZ hangs session. Last thing seen is CDZ sends exception response with sense code 08240118 to CDU then goes into receive, and after receiving all data and FMH80's buffered in SSP, final receive waits for a response that never comes. Unable to flush process, so CDZ must be shut down. Resolution: FASP connection was being closed prematurely when it should have waited for the LIC on the data. The code has been updated to do so. RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully The positive response from the SNODE to the PNODE after the FM7404 was not being waited on. Reslution: Now wait on the positive response correctly.   RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names After SSP3430 iFix 1, The Windows Service name for the Remote Less Secure PS includes the local listen port number and for the More Secure PS, it includes the port number of SSP to which PS will connect. If there are more than one More Secure PS servers running on one host, pointing to the same port, the PS windows service name will not be unique and cause problems. Resolution: To make the Remote PS Windows service name unique, the IP address of the host on which the PS listens (Less Secure PS) or the IP address of the SSP to which the PS connects (More Secure PS) is appended to the service name in addition to the port number. 
Example PS name: IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0 on 3000 1.2.3.4
Windows Service name: SSP_PerimeterServer_3000_1.2.3.4

RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound unencrypted, outbound secure.
With SSP3430 in front of a B2Bi CD server adapter, the CDSA may get a Java NullPointerException or IndexOutOfBoundsException when the C:D inbound session is unencrypted and the back end (outbound) node uses Secure Plus. When SSP encrypted the data from the inbound RU, it went beyond the negotiated RU size on the back end, causing the data overrun exceptions.
Resolution: Now properly break up the data from the unencrypted buffer into chunks which fit in the outbound RU, using multiple RUs as required.

RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
Unable to upload files via SFTP if the client is using a buffer size > 128K. The Customer was attempting to connect from command line sftp with the larger buffer parm -B240000. The connection is ok, but during the upload the SSP Maverick toolkit gets an error. The Maverick log shows:
  com.maverick.sshd.Subsystem - Incoming subsystem message length 240043 exceeds maximum supported packet length 131328
  com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=0
  java.nio.BufferOverflowException
    at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0]
    at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0]
    at com.maverick.sshd.Subsystem.parseMessage(Subsystem.java:137)
Resolution: Now set the default allowed buffer size supported to 256K. Override using the sftp.maxPacketLength property.
Note: Maverick toolkits were upgraded to SSHD 1.6.24 and J2SSH 1.6.22.

RTC510634/IT16823 (Engine) - (SFTP) SCP presents RC 1 after successful GET
When a file is downloaded from the SI SFTP Server Adapter thru SSP using the command line scp command, the scp client reports a Return Code of 1 instead of 0 for success.
The scp put operations return 0 as expected.
Resolution: Made a change to SSP to close the connection properly so the command line scp client reports a 0 Return Code for "get" operations.

RTC510635/IT16815 (Engine) - HSM certificates causing SSP0229E Exception
The Customer has certificates stored in an HSM and is upgrading to SSP 3.4.3. When securing connections or sending data, they get java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager.
Resolution: Corrected the SSP code and the PS jar file to properly reference the failing class.

RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently
The Customer uses the HTTP ping response for the C:D adapter to streamline communication with the load balancer. After upgrading to SSP3420 iFix 8 (or SSP3430 iFix 1), the response was not being sent to the load balancer consistently.
Resolution: SSP was closing the socket after writing the HTTP ping response before PS got a chance to complete its work. Added a 200ms delay after writing the HTTP response before closing the socket.

RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt
When the SFTP adapter is configured with the "Key or Password" authentication mechanism, a multiple line password prompt was displayed.
Resolution: Added support for a new property in the SFTP adapter Property tab. kb.single.password.prompt=false is the default and keeps a multi-line password prompt in keyboard interactive mode when using "Key or Password". Setting kb.single.password.prompt=true forces a one-line prompt.

RTC511666/IT17151 (CM) - Unable to invoke iKeyman on Solaris 10.
The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with a class to execute.
However, if JAVA_HOME doesn't point to the IBM JRE, it gets "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman".
Resolution: Corrected the Solaris installers for SEAS, SSP, SSP_CM and PS to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris
SSP was not automatically using Solaris hardware encryption to speed up its crypto processing.
Resolution: Updated the installer to change the java.security file on Solaris to include the security provider for Solaris hardware encryption.

RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade
Certificates installed into the HSM using pre-SSP3420 releases had a different provider than is supported with the new IBM toolkit.
Resolution: Updated the code to delete the old certificates successfully.

RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2
Starting in version 3.4.2, a change was made in SSP to make use of the IBM JSSE as the security provider for SSL instead of Certicom. Certicom used only one thread to process the events related to SSL handshakes. For the IBM JSSE, a thread pool was introduced for processing the events, along with a new local perimeter server property, perimeterServices.tlsDefaultThreadsPerAdapter=1, specifying the number of threads in the pool. However, the default value of 1 resulted in not having enough threads to handle even small spikes in TLS handshakes.
Resolution: Changed the value of the local perimeter services property in /bin/perimeter.properties to perimeterServices.tlsDefaultThreadsPerAdapter=5.
RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed
When the administrator sets a CM user's password for the first time or resets it, and the user is required to change the password initially entered by the admin, it is possible to bypass the mandatory password change and access the CM.
Resolution: Locked down the access in the case of a required password change.

RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23, common 1.6.11
Resolution: Upgraded to newer Maverick toolkits to resolve several underlying issues.

RTC513984/ (Engine, SSPCM, PS) - Enhancement to allow silent Installs for SSP, CM, PS and SEAS
InstallAnywhere Silent Install is a feature which allows for automated installs without questions and answers from the console. It can be used for repetitive installs at Customer sites. The administrator first does the product install in "record" mode, which builds an installation properties file for subsequent silent installs in "replay" mode. The SSP Engine, CM, PS, and SEAS have all been updated to allow silent installs.

RTC514315/IT17373 (CM) - Import of CA trusted file with multiple certs or comments getting corrupted or rejected
The Customer imports a trusted.txt file that contains several CA certificates into the truststore (Credentials > Trusted Certificate Stores). The certificates import, but the Certificate Data window indicates only 1 of 1 certificates was imported, even though the multiple embedded BEGIN and END certs are visible. Also, trusted files with embedded comments before or after the BEGIN CERTIFICATE / END CERTIFICATE pairs were being rejected.
Resolution: Updated the import logic to remove comments and blank lines during the import process and to process multiple certs in one file. Also updated the CM during startup to clean trusted files already loaded in the truststore.
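The following is an added example, not SSP's or IBM's own import code: a small checker for a trusted.txt-style file that splits out every BEGIN/END CERTIFICATE pair, drops comment and blank lines, and rejects a truncated or corrupted block, so a file can be sanity-checked before it is imported into the truststore. The sample file and its certificate bodies are constructed placeholders, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_trusted_file(text):
    """Return the list of normalized PEM blocks found in the file text.

    Lines outside a BEGIN/END pair (comments, exporter headers, trailing
    notes) and blank lines inside a block are ignored. Each block body is
    checked to be valid, non-empty base64 so a damaged certificate raises
    an error instead of being silently counted as imported.
    """
    blocks = []
    body = None  # None while outside a block, list of lines while inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError("line %d: BEGIN inside an open block" % lineno)
            body = []
        elif line == END:
            if body is None:
                raise ValueError("line %d: END without BEGIN" % lineno)
            # validate=True rejects anything but base64 alphabet and padding
            der = base64.b64decode("".join(body), validate=True)
            if not der:
                raise ValueError("line %d: empty certificate body" % lineno)
            blocks.append("\n".join([BEGIN] + body + [END]))
            body = None
        elif body is not None and line:
            body.append(line)  # certificate data; blank lines are skipped
        # any other line is a comment outside a block and is ignored
    if body is not None:
        raise ValueError("file ends inside an unterminated certificate block")
    return blocks


# Constructed sample: two placeholder "certificates" (base64 of arbitrary
# bytes, not real DER) surrounded by the kinds of comments and blank lines
# the fix above made the importer tolerate.
_BODY1 = base64.b64encode(b"first placeholder DER bytes").decode()
_BODY2 = base64.b64encode(b"second placeholder DER bytes").decode()
SAMPLE = "\n".join([
    "# Root CA export (comment before the first cert)",
    "subject=/CN=Example Root CA",
    BEGIN, _BODY1, END,
    "",
    "Second CA follows",
    BEGIN, _BODY2, "", END,
    "trailing note after the last certificate",
])

if __name__ == "__main__":
    certs = split_trusted_file(SAMPLE)
    print("%d certificate(s) found" % len(certs))  # prints 2 for SAMPLE
```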
RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
When Failover is set up in continuous mode and a more secure Remote PS is set up between SSP and the backend Server, if the backend Server goes down it may result in a deadlock in the SSP Adapter threads. When the backend Server is active again, the SSP Adapter may not accept new connections, causing the engine to appear hung.
Resolution: Modified the failover logic to avoid the deadlock.
Note: RTC516359 is also internally called RTC524026.

RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR
The manageCSRs.sh script gets a NullPointerException after generating the private and public key and attempting to place it in the keystore.
Resolution: Now set the default keystore provider to be the IBM JCE.

RTC517058/IT17567 (Engine) - FTPS passive data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3.
After upgrading to SSP3420 or SSP3430, Secure FTP client sessions were hanging intermittently on data operations such as directory listings and sending and receiving files. The TLS handshake was failing to start, causing a timeout.
Resolution: Fixed a race condition when opening the data channel and responding to the TLS handshake for the client.

RTC517621/IT17983 (Engine,PS) - Too many open file handles - lsof output
Round 2 of the issue with sockets showing up as leftover and in an unusual state ("can't identify protocol") in lsof output after hours of running. This can lead to the PS running out of available "channels".
Resolution: Updated the PS code (local and remote) to automatically close sockets which are detected to be in this unusual state.

RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances
When SSP is connecting to the real SNODE with "PNODE Host controls SSL Protocol" specified, and the real SNODE doesn't support TLS1.2 and has specified OVERRIDE=N, the handshake fails.
Resolution: Now recognize that "PNODE Host controls SSL Protocol" is set and the adapter allows differing encryption levels, and attempt a handshake supporting all protocols with the SNODE. The SNODE then decides what it can and cannot do.

RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication
If Secure+ and client authentication are turned on for a CD PNode, and the node presents a certificate with "Netscape Cert Type: SSL Server" that does not also indicate an Extended Key Usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL client". This is an RFC restriction imposed by the IBM JSSE toolkit.
Resolution: SSP is updated to allow SSL Server certificates for CD client authentication by default. A new property can be set in the CD adapter, AllowServerOnlyCertForClientAuth, to override this behavior. Settings are:
  true - (default) allow the handshake and produce message CSP998I to list the PNode and subject name of the certificate
  listcert - same as true, but also append the full certificate listing
  false - reject the handshake with message CSP997E

RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on
The SSP CD adapter was failing PNode connections when common name checking was checked in the netmap but client authentication was not.
Resolution: Now ignore the common name checking flag during CD handshaking if the client authentication flag is not checked, and put out a warning message instead.

RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list
Two ciphers (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) were missing from the supported ciphersuites.
Resolution: Added the ciphers to the supported ciphersuites.
RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM
After installing the SSPCM and adding a new user with Admin privileges, the Customer was unable to delete the original default "admin" account. The Customer's site security required removing the default account.
Resolution: Corrected the code to allow deleting the "admin" account from another account with Admin privileges.

RTC520046/IT17985 (CM) - Unable to use custom channel name in the JMS configuration
The Customer defined a custom channel name in addition to the default "", but the custom channel name was overridden by the default.
Resolution: Corrected the code that was overriding the custom channel name so that it can be used to send messages.

RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse.
When the SSP CD adapter is configured to accept HTTP pings, SSP writes the ping response and closes the socket before the PS gets a chance to complete sending the response to the load balancer.
Resolution: Now add a 200ms delay after writing the HTTP response before going to final to close the socket. The delay can be adjusted with the CD Adapter property HttpPingResponseDelay=200 (default). The value is in milliseconds.

RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required
When the SSPCM password policy was set to require a special character, the password was being forced to include at least two special characters.
Resolution: Now only require one special character when the password policy is enabled with "must have special character".

RTC521835/IT18266 (Engine) - Do not seed SecureRandom when using HSM with CD
CD sessions fail with "session.logic.engine not found in Parameters" when using the ncipher HSM. The HSM random number generator does not accept seeding.
Resolution: Removed code which was attempting to seed SecureRandom during TLS connections when the key certificate is in the ncipher HSM.
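An added example covering the password policy rules described in RTC505702 and RTC521075; it is a hypothetical checker written for this note, not SSP CM's own code. The policy parameters (an admin-chosen set of permitted special characters, a limit on consecutive repeats, a minimum length, and a "require special character" switch that demands exactly one, not two) are assumptions modelled on the rules those entries describe.

```python
def longest_run(s):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def check_password(password, allowed_specials="!@#$%^&*",
                   require_special=True, max_consecutive_repeats=2,
                   min_length=8):
    """Return a list of policy violations; an empty list means it passes.

    Hypothetical rules modelled on the fix list: only characters in
    allowed_specials may be used as specials, a character may not repeat
    more than max_consecutive_repeats times in a row, and when
    require_special is on at least ONE allowed special is needed (the
    pre-fix behaviour effectively demanded two).
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    permitted = [c for c in password if c in allowed_specials]
    disallowed = sorted({c for c in password
                         if not c.isalnum() and c not in allowed_specials})
    if disallowed:
        problems.append("special characters not permitted by policy: %s"
                        % "".join(disallowed))
    if require_special and len(permitted) < 1:
        problems.append("at least one special character is required")
    run = longest_run(password)
    if run > max_consecutive_repeats:
        problems.append("a character repeats %d times in a row (limit %d)"
                        % (run, max_consecutive_repeats))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the first has exactly one special
    # character and must pass under the corrected "one special" rule.
    for pw in ("Tr0ub4dor!", "Passw0rdOnly", "Ab1!!!xyz", "Ab1;defgh"):
        print("%-14s -> %s" % (pw, check_password(pw) or "ok"))
```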
RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down
After configuring SSP CM to publish messages to WebSphere MQ, the Customer found a huge number of sockets in TIME_WAIT status originating from the SSP CM with the queue manager as destination. The excessive sockets used up file descriptors in their system.
Resolution: Added logic to log JMS connection failures, and then added a 20 second delay between connection attempts to limit the growth of sockets when the JMS queue is down.

RTC523578/ (Engine) - CD Protocol unable to use keycert in HSM
The C:D protocol was unable to use a key/certificate stored in the HSM, getting CSP900E Logged Exception : no valid keycert found - exception.
Resolution: Added the logic to correctly handle referencing keycerts in an HSM device when using the C:D protocol.

RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS
SFTP sessions which go through SEAS and hang during a logoff operation can cause sessions on other SFTP adapters which do not use SEAS to hang.
Resolution: Placed the logic for doing SFTP logoffs in a separate thread pool so that they do not hold the EventServiceImplementation lock while doing the logoff operations.

RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430 iFix 2
When upgrading SSP3418 or below to 3420 or 3430, the old Certicom SSL Context values were not properly converted to IBM JSSE SSL Context values. This caused java.security.NoSuchAlgorithmException - TLS1-ONLY on CD transfers.
Resolution: Now convert the old Certicom SSL Context values to the IBM JSSE SSL Context values during CD SSL handshaking.

RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days
The Customer found that his engine was reaching 100% CPU after several days. A Javacore showed that there were several threads looping in Maverick code.
Resolution: Updated Maverick toolkits to SSHD 1.6.30 and J2SSH 1.6.25.

RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9
The fix for RTC523287 introduced a new thread to handle SFTP logoffs. However, it attempted to reference a Maverick Connection object which had become stale. Since the NPE happened after the client had disconnected, it had no effect on transfers, etc.
Resolution: Now get the information from the Maverick Connection object before invoking the SFTP logoff thread.

RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions
In our local testing there were numerous "peer not authenticated" error messages in the C:D logs, although the sessions completed normally. If the sessions were configured to require client authentication by the PNode, the messages were not produced.
Resolution: Now bypass emitting the message if the PNode is not configured to do SSL client authentication.

RTC525956/ (Engine) - SFTP concurrency test produces a number of NPEs
Our concurrency load testing was turning up numerous NullPointerExceptions in BackendSftpSubsystem.java, after RTC523287 and RTC525081.
Resolution: Now serialize the usage of the session object to eliminate the NPE.